From 84bf8e5c2236aef75ad07a7fbf0cc0141cd7e884 Mon Sep 17 00:00:00 2001
From: Jean-Philippe Pialasse
Date: Sun, 22 Sep 2024 22:43:22 -0400
Subject: [PATCH] * Sun Sep 22 2024 Jean-Philippe Pialasse 11.0.0-9.sme

- remove reference to deprecated rssh [SME: 12670]
- template /etc/pam.d/sshd to remove motd [SME: 12740]
---
 createlinks | 19 +---
 .../e-smith/db/accounts/migrate/50rsshRemoval | 15 ++++
 .../e-smith/templates/etc/pam.d/sshd/20auth | 3 +
 .../templates/etc/pam.d/sshd/30account | 3 +
 .../templates/etc/pam.d/sshd/40password | 1 +
 .../templates/etc/pam.d/sshd/50session | 11 +++
 .../templates/etc/pam.d/sshd/template-begin | 0
 .../templates/etc/rssh.conf/10logfacility | 1 -
 .../e-smith/templates/etc/rssh.conf/10umask | 1 -
 .../e-smith/templates/etc/rssh.conf/40users | 22 ----
 smeserver-openssh.spec | 85 ++++++++++--------
 11 files changed, 80 insertions(+), 81 deletions(-)
 create mode 100644 root/etc/e-smith/db/accounts/migrate/50rsshRemoval
 create mode 100644 root/etc/e-smith/templates/etc/pam.d/sshd/20auth
 create mode 100644 root/etc/e-smith/templates/etc/pam.d/sshd/30account
 create mode 100644 root/etc/e-smith/templates/etc/pam.d/sshd/40password
 create mode 100644 root/etc/e-smith/templates/etc/pam.d/sshd/50session
 create mode 100644 root/etc/e-smith/templates/etc/pam.d/sshd/template-begin
 delete mode 100644 root/etc/e-smith/templates/etc/rssh.conf/10logfacility
 delete mode 100644 root/etc/e-smith/templates/etc/rssh.conf/10umask
 delete mode 100644 root/etc/e-smith/templates/etc/rssh.conf/40users

diff --git a/createlinks b/createlinks
index 4d933aa..17ef984 100755
--- a/createlinks
+++ b/createlinks
@@ -6,7 +6,8 @@ use esmith::Build::CreateLinks qw(:all);
 foreach (qw(
 /etc/ssh/sshd_config
 /etc/ssh/ssh_config
- ))
+ /etc/pam.d/sshd
+))
 {
 templates2events("$_", qw(
 console-save
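Review bot: The closing `))` of the qw() list is now flush left (`+))`) while the line it replaces was indented like the list entries above it, so the functional one-line addition of `/etc/pam.d/sshd` comes with an unrelated whitespace change that makes this block inconsistent with the `foreach my $event` loop further down. Keeping the original indentation, `    ))`, confines the hunk to the new entry. The entry itself is registered on the same events as the two ssh config files, which means the PAM file will presumably be re-expanded from the new fragments each time one of those events fires.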
@@ -16,22 +17,6 @@ foreach (qw(
 ));
 }
 
-foreach (qw(
- /etc/rssh.conf
- ))
-{
- templates2events("$_", qw(
- bootstrap-console-save
- password-modify
- remoteaccess-update
- user-lock
- user-create
- user-delete
- user-modify
- smeserver-openssh-update
- ));
-}
-
 foreach my $event (
 "console-save",
 "bootstrap-console-save",
diff --git a/root/etc/e-smith/db/accounts/migrate/50rsshRemoval b/root/etc/e-smith/db/accounts/migrate/50rsshRemoval
new file mode 100644
index 0000000..1fa9952
--- /dev/null
+++ b/root/etc/e-smith/db/accounts/migrate/50rsshRemoval
@@ -0,0 +1,15 @@
+{
+ # Remove AllowRSSH propertie
+ # Reset Shell property if /usr/bin/rssh
+
+ foreach my $account ($DB->get_all)
+ {
+ if (defined $account->prop('Shell') && ($account->prop('Shell') eq "/usr/bin/rssh") )
+ {
+ $account->delete_prop('Shell');
+ }
+ next unless (defined $account->prop('AllowRSSH'));
+ $account->delete_prop('AllowRSSH');
+ }
+}
+
diff --git a/root/etc/e-smith/templates/etc/pam.d/sshd/20auth b/root/etc/e-smith/templates/etc/pam.d/sshd/20auth
new file mode 100644
index 0000000..0d803f9
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/pam.d/sshd/20auth
@@ -0,0 +1,3 @@
+#%PAM-1.0
+auth substack password-auth
+auth include postlogin
diff --git a/root/etc/e-smith/templates/etc/pam.d/sshd/30account b/root/etc/e-smith/templates/etc/pam.d/sshd/30account
new file mode 100644
index 0000000..beab821
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/pam.d/sshd/30account
@@ -0,0 +1,3 @@
+account required pam_sepermit.so
+account required pam_nologin.so
+account include password-auth
diff --git a/root/etc/e-smith/templates/etc/pam.d/sshd/40password b/root/etc/e-smith/templates/etc/pam.d/sshd/40password
new file mode 100644
index 0000000..29e9f82
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/pam.d/sshd/40password
@@ -0,0 +1 @@
+password include password-auth
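Review bot: Deleting the `Shell` property for accounts that were pinned to `/usr/bin/rssh` silently lifts the restriction rssh enforced, and whatever shell such an account falls back to is decided outside this fragment, so the migration should leave a trace of which accounts changed, e.g. `warn "50rsshRemoval: Shell reset for " . $account->key . "\n";` inside the `if` block (assuming the migrate runner captures stderr; please confirm). The `prop('Shell')` call is made twice on the `if` line; `my $shell = $account->prop('Shell') // '';` followed by `if ($shell eq '/usr/bin/rssh')` is shorter and drops the `defined` guard. The comment `# Remove AllowRSSH propertie` has a typo (`property`). `$DB->get_all` presumably also visits records that are not user accounts; that is harmless here because both properties are tested before deletion, but a one-line comment saying so would pre-empt the question.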
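Review bot: The fragments 20auth, 30account, 40password and 50session reproduce a distribution sshd PAM stack verbatim but record nowhere which file and package version they were copied from, so a later maintainer cannot tell whether they have drifted from what the openssh package ships. A one-line comment after `#%PAM-1.0` in 20auth, such as `# Copied from <DISTRO_PACKAGE_VERSION>'s /etc/pam.d/sshd; diff against it on major updates`, would give that anchor. Since the file is now generated from these fragments on the events registered in createlinks, any change the distribution makes to its own `/etc/pam.d/sshd` will presumably be overwritten at the next expansion, and the comment should say so. `template-begin` is empty, so 20auth's first line is the first line of the generated file, which is where the `#%PAM-1.0` header belongs.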
diff --git a/root/etc/e-smith/templates/etc/pam.d/sshd/50session b/root/etc/e-smith/templates/etc/pam.d/sshd/50session
new file mode 100644
index 0000000..883ad13
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/pam.d/sshd/50session
@@ -0,0 +1,11 @@
+# pam_selinux.so close should be the first session rule
+session required pam_selinux.so close
+session required pam_loginuid.so
+# pam_selinux.so open should only be followed by sessions to be executed in the user context
+session required pam_selinux.so open env_params
+session required pam_namespace.so
+session optional pam_keyinit.so force revoke
+#we use the sshd_config file to call motd
+#session optional pam_motd.so
+session include password-auth
+session include postlogin
diff --git a/root/etc/e-smith/templates/etc/pam.d/sshd/template-begin b/root/etc/e-smith/templates/etc/pam.d/sshd/template-begin
new file mode 100644
index 0000000..e69de29
diff --git a/root/etc/e-smith/templates/etc/rssh.conf/10logfacility b/root/etc/e-smith/templates/etc/rssh.conf/10logfacility
deleted file mode 100644
index d9cc217..0000000
--- a/root/etc/e-smith/templates/etc/rssh.conf/10logfacility
+++ /dev/null
@@ -1 +0,0 @@
-logfacility = LOG_USER
diff --git a/root/etc/e-smith/templates/etc/rssh.conf/10umask b/root/etc/e-smith/templates/etc/rssh.conf/10umask
deleted file mode 100644
index 8d9793e..0000000
--- a/root/etc/e-smith/templates/etc/rssh.conf/10umask
+++ /dev/null
@@ -1 +0,0 @@
-umask = 022
diff --git a/root/etc/e-smith/templates/etc/rssh.conf/40users b/root/etc/e-smith/templates/etc/rssh.conf/40users
deleted file mode 100644
index 7f2b9cb..0000000
--- a/root/etc/e-smith/templates/etc/rssh.conf/40users
+++ /dev/null
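Review bot: The comment `#we use the sshd_config file to call motd` above the disabled `pam_motd.so` line explains the intent only loosely; the relevant fact is that the motd is now displayed by one component instead of two, and the line should name the setting that takes over. Suggested wording: `# pam_motd is disabled on purpose: sshd prints the motd itself (PrintMotd in sshd_config), so keeping both would show it twice`. Whether the sshd_config template actually sets `PrintMotd yes` is not visible in this patch, so that should be confirmed before the comment is committed. With pam_motd out of the stack, anything only pam_motd would render (the motd.d directories it reads, depending on the Linux-PAM version) is no longer shown on ssh logins; if that is intended, a short mention in the same comment saves the next reader a question.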
@@ -1,22 +0,0 @@
-{
- use esmith::AccountsDB;
-
- my $adb = esmith::AccountsDB->open_ro or die "Couldn't open AccountsDB\n";
-
- $OUT = '';
-
- for my $user ( $adb->users )
- {
- my %props = $user->props;
- $props{AllowRSSH} ||= 'unknown';
-
- next unless ($props{PasswordSet} eq 'yes');
-
- next if ($props{AllowRSSH} eq 'no');
-
- next unless ($props{AllowRSSH} eq 'yes' or
- $props{VPNClientAccess} eq 'yes');
-
- $OUT .= "user = " . $user->key . ":022:11111:" . "\n";
- }
-}
diff --git a/smeserver-openssh.spec b/smeserver-openssh.spec
index 2abe1c8..c09d7dc 100644
--- a/smeserver-openssh.spec
+++ b/smeserver-openssh.spec
@@ -4,7 +4,7 @@ Summary: smeserver module to configure and enable ssh
 %define name smeserver-openssh
 Name: %{name}
 %define version 11.0.0
-%define release 8
+%define release 9
 Version: %{version}
 Release: %{release}%{?dist}
 License: GPL
@@ -23,7 +23,51 @@ Requires: runit
 Provides: e-smith-openssh
 AutoReqProv: no
 
+%description
+smeserver server enhancement to configure and enable openssh
+
+%prep
+%setup
+rm -rf root/var/service root/service
+
+%build
+perl createlinks
+# build the test suite from embedded tests
+/sbin/e-smith/buildtests e-smith-openssh
+
+%install
+rm -rf $RPM_BUILD_ROOT
+( cd root ; find . -depth -print | cpio -dump $RPM_BUILD_ROOT )
+rm -f %{name}-%{version}-%{release}-filelist
+
+/sbin/e-smith/genfilelist \
+ --file '/sbin/e-smith/systemd/sshd-prepare' 'attr(0554,root,root)' \
+ --dir '/var/log/sshd' 'attr(2750,root,root)' \
+ --dir '/var/empty/sshd' 'attr(0711,root,root)' \
+ $RPM_BUILD_ROOT \
+ > %{name}-%{version}-%{release}-filelist
+
+echo "%doc COPYING" >> %{name}-%{version}-%{release}-filelist
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%files -f %{name}-%{version}-%{release}-filelist
+%defattr(-,root,root)
+
+%pre
+if [ $1 -gt 1 ] ; then
+ if [ -e /var/service/sshd/run ] ; then
+ /usr/bin/sv d sshd
+ /usr/bin/sv d sshd/log
+ fi
+fi
+
 %changelog
+* Sun Sep 22 2024 Jean-Philippe Pialasse 11.0.0-9.sme
+- remove reference to deprecated rssh [SME: 12670]
+- template /etc/pam.d/sshd to remove motd [SME: 12740]
+
 * Tue Aug 13 2024 Jean-Philippe Pialasse 11.0.0-8.sme
 - fix new log does not fill after log rotate [SME: 12690]
 
@@ -668,42 +712,3 @@ AutoReqProv: no
 * Thu May 11 2000 Charlie Brady
 - Change rc?.d directory from 3 to 7.
 
-%description
-smeserver server enhancement to configure and enable openssh
-
-%prep
-%setup
-rm -rf root/var/service root/service
-
-%build
-perl createlinks
-# build the test suite from embedded tests
-/sbin/e-smith/buildtests e-smith-openssh
-
-%install
-rm -rf $RPM_BUILD_ROOT
-( cd root ; find . -depth -print | cpio -dump $RPM_BUILD_ROOT )
-rm -f %{name}-%{version}-%{release}-filelist
-
-/sbin/e-smith/genfilelist \
- --file '/sbin/e-smith/systemd/sshd-prepare' 'attr(0554,root,root)' \
- --dir '/var/log/sshd' 'attr(2750,root,root)' \
- --dir '/var/empty/sshd' 'attr(0711,root,root)' \
- $RPM_BUILD_ROOT \
- > %{name}-%{version}-%{release}-filelist
-
-echo "%doc COPYING" >> %{name}-%{version}-%{release}-filelist
-
-%clean
-rm -rf $RPM_BUILD_ROOT
-
-%files -f %{name}-%{version}-%{release}-filelist
-%defattr(-,root,root)
-
-%pre
-if [ $1 -gt 1 ] ; then
- if [ -e /var/service/sshd/run ] ; then
- /usr/bin/sv d sshd
- /usr/bin/sv d sshd/log
- fi
-fi